Skip to main content

Comments

89 comments

Date Votes
  • morrow95
    FYI, things were working well last night... I had several domains install a new cert (including hostname requests). It's like Sectigo was watching us post and got with the program. lol j/k But try a manual check and see what you get. Of course it could be just as bad again now, but overnight it was zipping along. (Load changes, I'm sure.) My point is, you CAN get them to go through, just have to retry a few times. Switching to LE is a better use of time though.

    The 'Run AutoSSL For All Users' button in WHM doesn't do anything with hostnames/services cert though - or at least doesn't show anything in the logs there for it. The main certificate I am worried about that expires soon is the certificate for my services ('Manage Service SSL Certificates' in WHM) that covers the following : hostname.com cpanel.hostname.com cpcalendars.hostname.com cpcontacts.hostname.com mail.hostname.com webmail.hostname.com whm.hostname.com www.hostname.com
    0
  • cPRex Jurassic Moderator
    @morrow95 - the hostname certificate is handled through /usr/local/cpanel/bin/checkallsslcerts
    0
  • PeteS
    The 'Run AutoSSL For All Users' button in WHM doesn't do anything with hostnames/services cert though

    Came here to say what cPRex said ( /usr/local/cpanel/bin/checkallsslcerts ) and that both were doing well last night.
    0
  • morrow95
    Still received the auto expiration emails this morning for dovecot, exim, cpanel, but when I checked WHM the service ssl cert finally did update and is good till sometime in April now. I can only assume those were checked before the actual cert was installed so tomorrow there shouldn't be any notifications. Just a friendly reminder to those of you that actually had certs expire on you. Turn on notifications in WHM for certs. That way the worst case scenario is you'll have some time to manually install a cert where needed.
    0
  • PeteS
    Just a friendly reminder to those of you that actually had certs expire on you. Turn on notifications in WHM for certs. That way the worst case scenario is you'll have some time to manually install a cert where needed.

    I see no notification option for a cert expiring. Where are you seeing this? (Service SSL, and non-autoSSL certs, yes, but not autoSSL certs.)
    0
  • morrow95
    I see no notification option for a cert expiring. Where are you seeing this?

    'Manage AutoSSL' in your side menu then click on the 'options' tab.
    0
  • PeteS
    'Manage AutoSSL' in your side menu then click on the 'options' tab.

    Ah, thanks, but I forgot to mention that area as well... I have "ALL" selected for administrators and yet I don't get notices when a cert expires. (Additionally, per docs and my testing, it appears that all this does is enable/disable options in cPanel " Home " Preferences " Contact Information for autoSSL. I have everything enabled, and get notices of installs (off by default but I turned it on to test), but when a cert expires I get no notice. Can you confirm whether expiration notices work for you? @cPRex am I misunderstanding how this should be working?
    0
  • Vandenhole
    The same goes for my side, it's been 2 days that I have error 503 or 504 on the order: checkallsslcerts Does Cpanel have any information to give us? Thanks in advance
    0
  • cPRex Jurassic Moderator
    WHM >> Contact Manager has "Service SSL Certificate Expires Soon" and "SSL Certificates Expiring" options. @Vandenhole - I don't have anything new to report on my end.
    0
  • PeteS
    WHM >> Contact Manager has "Service SSL Certificate Expires Soon" and "SSL Certificates Expiring" options. @Vandenhole - I don't have anything new to report on my end.

    It also has "Service SSL Certificate Expiration," which is exactly what I'm wanting, and they work as expected for the service SSL cert. But where is the equivalent for autoSSL certs? That's what I'm talking about. I don't get notified when they expire! Notification options for autoSSL are only the following:
    • AutoSSL cannot request a certificate because all of the website"s domains have failed DCV (Domain Control Validation). This setting takes effect only when "Notify when AutoSSL cannot request a certificate because all domains on the website have failed DCV (Domain Control Validation)." is enabled in WHM"s "Manage AutoSSL" interface.
    • AutoSSL has deferred normal certificate renewal because a domain on the current certificate has failed DCV (Domain Control Validation). This setting takes effect only when "Notify when AutoSSL defers certificate renewal because a domain on the current certificate has failed DCV (Domain Control Validation)." is enabled in WHM"s "Manage AutoSSL" interface.
    • AutoSSL has installed a certificate successfully. This setting takes effect only when "Notify when AutoSSL has renewed a certificate successfully." is enabled in WHM"s "Manage AutoSSL" interface.
    • AutoSSL has provisioned a new certificate for a dynamic DNS domain.
    • AutoSSL has renewed a certificate, but the new certificate lacks at least one domain that the previous certificate secured. This setting takes effect only when "Notify when AutoSSL has renewed a certificate and the new certificate lacks at least one domain that the previous certificate secured." is enabled in WHM"s "Manage AutoSSL" interface.
    • AutoSSL has renewed a certificate, but the new certificate lacks one or more of the website"s domains. This setting takes effect only when "Notify when AutoSSL has renewed a certificate and the new certificate lacks one or more of the website"s domains." is enabled in WHM"s "Manage AutoSSL" interface.
    • AutoSSL will not secure new domains because a domain on the current certificate has failed DCV (Domain Control Validation), and the certificate is not yet in the renewal period.
    0
  • cPRex Jurassic Moderator
    I don't think there is such a warning, currently. The "expiring" warning would start notifying you 25-30 days ahead of time. If you haven't got that message by then, an additional expiration notification likely won't help.
    0
  • PeteS
    I don't think there is such a warning, currently. The "expiring" warning would start notifying you 25-30 days ahead of time. If you haven't got that message by then, an additional expiration notification likely won't help.

    Sorry, but no, those notifications ARE sent for the service SSL, and I get them. I don't see any setting for a 25-30 day warning notification for autoSSL either in the above list, or the one from docs below, nor is there an autoSSL expiration notice that I can find. About autoSSL Options docs say: "Administrator Notifications You can select from the following notification options for your reseller and WHM users:
    • Notify the administrator for all AutoSSL events and normal successes.
    • Notify the administrator for AutoSSL certificate request failures, warnings, and deferrals.
    • Notify the administrator for AutoSSL certificate request failures only.
    • Disable AutoSSL administrator notifications.
    This setting defaults to Notify the user for AutoSSL certificate request failures, warnings, and deferrals." I would have thought the difference between the top two options would include expiration notices, but it doesn't. (What is the difference, by the way?) Can you please check with devs to see if indeed autoSSL (not talking abour service SSL cert) is supposed to send notification of either soon to expire or expired autoSSL certs?
    0
  • cPRex Jurassic Moderator
    What about the details mentioned here -
    0
  • PeteS
    What about the details mentioned here - simplified for consumption by users based on feedback we received from the user base, but we retained the more granular configurations in the API..." This is telling me they can/may be enabled. First I need to know if 10 day, 30 day, etc. warnings, and the expired warning, are supposed to be work already, and which WHM settings control them all as a block. I want to know which notifications are enabled by the "simplified" WHM settings, without using an API. Either complete docs, or an inquiry/response from devs is what I need. Thanks!
    0
  • cPRex Jurassic Moderator
    At this point, you're getting everything you're supposed to. Could you make a feature request with what all you're looking to see added and I can get that over to the team?
    0
  • PeteS
    At this point, you're getting everything you're supposed to. Could you make a feature request with what all you're looking to see added and I can get that over to the team?

    Sorry, but am I? I'm not getting autoSSL expiration warnings, nor expiring soon warnings. Where can I look on the server to see the actual current configuration? And I just found the defaults listed on the API page: Note: For reference, the system preconfigures AutoSSL metadata keys to the following values:
    • The value for clobber_externally_signed defaults to 0.
    • The value for notify_autossl_expiry defaults to 1.
    • The value for notify_autossl_expiry_coverage defaults to 1.
    • The value for notify_autossl_expiry_coverage_user defaults to 1.
    • The value for notify_autossl_renewal defaults to 1.
    • The value for notify_autossl_renewal_user defaults to 1.
    • The value for notify_autossl_renewal_coverage defaults to 1.
    • The value for notify_autossl_renewal_coverage_user defaults to 1.
    • The value for notify_autossl_renewal_coverage_reduced defaults to 1.
    • The value for notify_autossl_renewal_coverage_reduced_user defaults to 1.
    • The value for notify_autossl_renewal_uncovered_domains defaults to 1.
    • The value for notify_autossl_renewal_uncovered_domains_user defaults to 1.
    It looks like the second one is expired notification and should default to ON. But this is not happening, nor are expiring soon warnings. Also in the API I see no mentions of settings for soon expiring warnings. How do I get more docs on this functionality?
    0
  • cPRex Jurassic Moderator
    I don't have any additional details on my end. Could you make a ticket for this and then we can escalate it as necessary?
    0
  • PeteS
    I don't have any additional details on my end. Could you make a ticket for this and then we can escalate it as necessary?

    I don't have any domains up for renewal (failure/expiration...) until Feb. Seems like I should wait until then. I don't want to opena ticket without an issue (only asking for feature documentation).
    0
  • PeteS
    Ticket #94523546
    0
  • cPRex Jurassic Moderator
    Thanks!
    0
  • ejsolutions
    Looks to me that there is a bug. I began receiving the hostname warning certificate and checked in WHM, noting that I had Let's Encrypt enabled for auto SSL. Surely, if cPanel doesn't support hostname Let's Encrypt and/or tests aren't going to cPanel, then the following shouldn't happen? [QUOTE]The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request "POST ssl/certificate/whm-license/90-day": We were unable to process your request. Please try again later.
    it shouldn't be attempting to do this at all, when Let's Encrypt is enabled - unless cPanel has plans to make the feature available. Switching temporarily to cPanel auto SSL cleared the error and allowed the service SSLs to update.
    0
  • quietFinn
    @ejsolutions that error comes from hostname certificate, and it's renewed by cPanel, nothing to do with AutoSSL.
    0
  • ejsolutions
    I beg to differ (if you read again what I wrote) but I won't argue my case, as it's now renewed and I have other things that need my attention. If my observation isn't accepted then I'm fine with that. ;)
    0
  • cPRex Jurassic Moderator
    @ejsolutions - at this point, the hostname certificates are still renewed through Sectigo. Let's Encrypt can only handle domain SSLs. They are also separate tools. You could disable AutoSSL completely and still receive the free hostname certificate.
    0
  • PeteS
    At this point, you're getting everything you're supposed to. Could you make a feature request with what all you're looking to see added and I can get that over to the team?

    As a followup to the question of AutoSSL (only) cert expiration notifications... I learned via the ticket regarding the Sectigo renewal failures, that this notification is ONLY available via API. (Odd!) Here are the API docs showing it (search notify_autossl_expiry): Update AutoSSL metadata via JSON I have opened a feature request to have it added to WHM. Please up-vote if you agree!
    0
  • cPRex Jurassic Moderator
    I did see that, got it approved, and added to this week's meeting!
    0
  • ejsolutions
    You might like to address the insistence of AutoSSL trying to renew non-existent subdomains on DNS Only installations. For example: [xxx.xxx.com] The SSL (Secure Sockets Layer) certificate for "exim" on "xxx.xxx.com" will expire in less than 30 days. [xxx.xxx.com] The SSL (Secure Sockets Layer) certificate for "cpanel" on "xxx.xxx.com" will expire in less than 30 days.
    Perhaps it's purely down to bad defaults in DNZ Zone creation, during DNS Only installation - I haven't investigated.
    0
  • quietFinn
    That's about Service SSL Certificates, nothing to do with AutoSSL.
    0
  • ejsolutions
    My bad. :|
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post